Special attention should be paid to gateway or firewall systems,
as they usually control access to the services running on the
entire network. Such gateways should be identified, their function
within the network should be assessed, and their owners or administrators
should be identified. These hosts, often referred to as
``bastion hosts'', are a prime target for an intruder. They should
be some of the most fortified machines on the network.

Be sure to regularly review the current access policies and security
of the system itself.

These ``systems'' should absolutely only be running the services
necessary to perform their operation. Your firewall should not be your
mail server or web server, contain user accounts, etc. Some of the
things you should check for, and absolutely fortify on these hosts,
include:

Turn off access to all but necessary services.

Depending on the type of firewall, disable IP Forwarding, preventing the
system from routing packets unless explicitly instructed to do so.

Be sure firewall policy includes mechanisms for preventing common attacks
such as IP Spoofing, Fragmentation attacks, Denial of Service, etc.

Monitor status very closely. You should develop a baseline of how
the machine normally operates so that you can detect variations which may indicate
an intrusion.

Develop a comprehensive firewall model. Firewalls should be treated as
a security system, not just a program that runs on a machine and has an access
control list. Firewall administration should be centrally controlled and evaluation
of firewall policies should be done prior to actual firewall deployment.
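
One way to check several of the items above on a Linux bastion host, as an added example that is not part of the original article: it verifies the IP forwarding and reverse-path filtering settings and compares the listening TCP ports with a baseline of allowed ports. The function names, SYSCTL_ROOT, WANT_FORWARD, the choice of rp_filter as the anti-spoofing setting and the sample ss output are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit helpers for a bastion host (POSIX sh, Linux).
# SYSCTL_ROOT can point at a constructed tree instead of the live /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Constructed sample of `ss -Hltn` output, for trying the parser offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:8080 *:*'

# check_sysctl KEY WANT: return 0 if the setting equals WANT, 1 if it
# differs, 2 if it cannot be read.
check_sysctl() {
    file="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -r "$file" ] || { echo "UNKNOWN $1 (not readable)"; return 2; }
    got=$(cat "$file")
    if [ "$got" = "$2" ]; then echo "OK      $1=$got"; return 0; fi
    echo "FAIL    $1=$got (want $2)"; return 1
}

# listening_ports: stdin is `ss -Hltn` output; print each local port once.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# unexpected_ports PORT...: stdin is `ss -Hltn` output; print every
# listening port that is not in the baseline given as arguments.
unexpected_ports() {
    for p in $(listening_ports); do
        case " $* " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# audit_bastion PORT...: run all checks against the live host.
# WANT_FORWARD defaults to 0 (proxy-style firewall); a routing packet
# filter legitimately needs 1, so set it to match the firewall type.
audit_bastion() {
    rc=0
    check_sysctl net.ipv4.ip_forward "${WANT_FORWARD:-0}" || rc=1
    check_sysctl net.ipv4.conf.all.rp_filter 1 || rc=1   # anti-spoofing
    command -v ss >/dev/null 2>&1 || { echo "UNKNOWN ss not found"; return 1; }
    extra=$(ss -Hltn | unexpected_ports "$@")
    [ -z "$extra" ] || { echo "FAIL    unexpected listeners:" $extra; rc=1; }
    return $rc
}
# Usage on the host: audit_bastion 22   (only sshd may listen)
```

Running it from cron and alerting on a non-zero exit status gives a simple reference point for the monitoring item.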

A vulnerability[2] has been discovered in the Cyrus implementation of the SASL library. The library honors the environment variable SASL_PATH blindly, which allows a local attacker to link against a malicious library to run arbitrary code with the privileges of a setuid or setgid application.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5150.html

Distribution:

Debian

11/5/2004

shadow

unintended behaviour fix

A vulnerability has been discovered in the shadow suite, which provides programs like chfn and chsh. It is possible for a user who is logged in but has an expired password to alter his account information with chfn or chsh without having to change the password. The problem was originally thought to be more severe.
http://www.linuxsecurity.com/advisories/debian_advisory-5086.html

Due to debugging code left accidentally in the FC3 udev package, SIGCHLD signals are blocked in udev, which prevents getting the proper exit status in udev.rules. This means no cdrom symlinks are created and pam_console does not apply desktop user ownerships to any cdrom devices.
http://www.linuxsecurity.com/advisories/fedora_advisory-5102.html

Multiple buffer overflows were reported in the libxml XML parsing library. These vulnerabilities may allow remote attackers to execute arbitrary code via a long FTP URL that is not properly handled by the xmlNanoFTPScanURL() function, a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy() function, and other overflows in the code that resolves names via DNS.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5085.html

Karol Wiesek discovered a bug in the input validation routines in Samba 3.x used to match filename strings containing wildcard characters. This bug may allow a user to consume more than normal amounts of CPU cycles which would impact the performance and response of the server.
http://www.linuxsecurity.com/advisories/mandrake_advisory-5149.html